On Wed, Jun 24, 2015 at 5:29 AM, Helmut Jarausch <[email protected]> wrote:
>
> I wouldn't like to use an OTP generator on my smartphone because Big Brother
> might be watching me when I use this.
> I feel like the German parliament which has been hacked by a foreign secret
> service.
> Parliamentarians have to resort to "classic" types of communication now.
>
> I'd prefer a solution where I carry the OTPs with me in printed form.
> Is this possible with the google-authenticator, as well?
>
Well, the protocol for generating the TOTPs is standard: https://tools.ietf.org/html/rfc6238

I don't have any recommendations, but it seems like there are various dongles out there which generate the codes. There might be others around here that have a bit more experience with this, but you could probably get them working.

Pre-printed OTPs are a different matter, but they suffer from the obvious vulnerability that they can be copied (which is definitely a big contrast from a hardware OTP generator, which is typically hardened against such attacks - having a code is basically proof that you have the device in your possession RIGHT NOW vs. having had it in your possession at some time in the past).

I used to use skey (which is packaged on Gentoo) for this. Skey uses OTPs which are sequential instead of time-based. You can use it in a challenge/response mode which requires software (such as on your phone), but you can also pre-print a big list of keys and carry them with you. When ssh asks you for key #100 you look for it on the list and type it in. You can print more keys at any time as they get used up.

The Yubikey is getting a lot of attention right now with protocols like U2F (as well as OTP). It is cheap and capable. The downside of the Yubikey is that I believe you can only use it if it is plugged into a USB port, and protocols like U2F are designed more around browsers than various other bits of software that authenticate (like POP, ssh, etc). However, I believe you can plug it into a PC, hit the button, and have it act as a keyboard and type in a TOTP. So, if you're sshing from PCs with USB ports that accept external keyboards, it might be an option for you.

I've been assuming that you're talking about ssh all along. That tends to work well since ssh clients generally support an interactive login with some kind of challenge/response or such. It breaks down for other protocols that don't have allowance for that, like IMAP/POP/etc, unless you ditch the regular password and just pass the OTP as your password (and honestly I'm not sure how great an idea that is). And, of course, unless your mail client keeps the connection open, that could get really painful any time it checks for new mail.

All that said, on the list of things I worry about each day, the "Google is secretly uploading data from my phone to their servers without telling/asking" fear is pretty low on the list. Google authenticator does not sync to any kind of central server, and its source is published. Sure, the OS could be spying on you, but so could your ethernet card or any number of other things.

But, if you really want strong security, an un-networked hardware token whose seed can be set by the user is probably your best bet.

--
Rich

